When it comes to managing data storage, many companies face a difficult set of compromises. Data must be accessible, but it must also be stored securely. Cloud data storage is usually far more cost efficient than on-premises storage, but it can make compliance with data security standards more difficult, and more expensive.
This last consideration has left many companies looking for ways to cut storage compliance costs. While companies should not make the mistake of under-funding their data compliance processes and staff, there are ways the cost of compliance can be reduced.
One of these, as we have previously explained in our enterprise data storage compliance guide, is to look at compliance frameworks in a comparative way. Do this, and you’ll see that many of the compliance systems that companies have to deal with – from the GDPR to the CCPA – require the same kind of actions, processes, and plans. Let’s break down these key elements.
Disclosures
Disclosures form the backbone of most public-facing compliance frameworks today. The disclosures required by the GDPR and the CCPA (among others) exist to tell your customers explicitly which data you collect from them, what you do with it, and how you store it. As with many aspects of data compliance, the GDPR currently has the strictest requirements for what a disclosure must contain (Articles 13 and 14 list the required information, including the purposes and legal basis of processing, the recipients of the data, and how long it will be kept), so it is a good idea to use your GDPR disclosure as the basis for your other statements.
Privacy Policies
Alongside disclosures are privacy policies. These overlap with disclosures in that they define how, where, and why you collect, process, and store data. A good privacy policy goes further, though: it names who is responsible for keeping data secure and spells out what you will do when you become aware of a breach.
Though writing a detailed privacy policy might seem like a lot of work, in reality the process of developing such a policy can be a constructive one. Your policy will form the central document that details your approach to data privacy and security, and if drafted well it can act as a valuable reference guide for years into the future.
Encryption and Anonymizing
Most compliance frameworks today mention anonymization and encryption, but few spell out exactly which data must be protected or how. The GDPR, for instance, names pseudonymisation and encryption only as examples of appropriate technical measures. PCI DSS is more prescriptive: the primary account number (PAN) must be rendered unreadable anywhere it is stored, using truncation, index tokens, a cryptographic hash (which PCI DSS v4.0 requires to be keyed), or strong cryptography with proper key management, and sensitive authentication data such as the card verification code may not be stored at all after authorization. Even so, proving to an assessor that your implementation meets these requirements in a shared cloud environment, where key management and storage are partly in the provider's hands, can be difficult.
In practice, the sensible response is to encrypt everything at rest and in transit by default, keep control of the keys (in a KMS or HSM you manage, rather than ad hoc keys in application code), and record which control satisfies which requirement, so that compliance is demonstrated rather than hoped for.
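As an added example (not from the original article), the following Python contrasts the PAN-protection methods PCI DSS names: truncation, a keyed hash (an HMAC token whose key lives outside the data store) and, for comparison, an unkeyed hash. The card number is the well-known Visa test number, the key is a constructed placeholder, and the function names are my own. The last function demonstrates the failure mode PCI DSS warns about: if an unkeyed hash and a truncated copy of the same PAN both exist, the hidden digits can be brute-forced in seconds.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed inputs: the standard Visa test PAN and a placeholder key.
# In a real system the HMAC key comes from a KMS or HSM, never from the code.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"placeholder-key-kept-outside-the-data-store"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: treat only plausible card numbers as PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: retain at most the first six and last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256: looks protected, but the input space is tiny (see below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 token: without the key, offline guessing is not possible."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def card_record(pan: str, key: bytes) -> Dict[str, str]:
    """What the data store is allowed to hold: a truncated PAN for display
    and a keyed token for lookups. The full PAN is never written."""
    if not luhn_ok(pan):
        raise ValueError("not a plausible PAN")
    return {"pan_truncated": truncate_pan(pan), "pan_token": keyed_token(pan, key)}


def leaks_full_pan(record: Dict[str, str], pan: str) -> bool:
    """Assessor-style check: does any stored field contain the full PAN?"""
    return any(pan in value for value in record.values())


def recover_from_truncation_and_hash(truncated: str, digest: str) -> Optional[str]:
    """Attack: given a truncated PAN and an UNKEYED hash of the same PAN,
    brute-force the hidden middle digits (at most 10**6 for a 16-digit PAN)."""
    prefix, suffix = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for n in range(10 ** hidden):
        candidate = f"{prefix}{n:0{hidden}d}{suffix}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    rec = card_record(SAMPLE_PAN, SAMPLE_KEY)
    print(rec)
    print("full PAN stored:", leaks_full_pan(rec, SAMPLE_PAN))
    # Pairing truncation with an unkeyed hash hands the PAN back:
    print("recovered:", recover_from_truncation_and_hash(
        truncate_pan(SAMPLE_PAN), unkeyed_hash(SAMPLE_PAN)))
```

The point of the last function is why "we hash the card numbers" is not an answer an assessor will accept on its own: the first six digits are the issuer prefix and the last four are routinely displayed, so an unkeyed hash protects only about a million possibilities. A keyed token removes the offline attack, and the key then becomes the thing you must protect and manage.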
Firewalls and Access Control
Most compliance frameworks require access controls on data, but which portion of your data must sit behind them varies by framework.
HIPAA, for instance, requires you to control access to protected health information (PHI), but once data has been de-identified under the HIPAA standard (by removing the Safe Harbor identifiers, or by expert determination) it is no longer PHI and can be shared far more freely, with healthcare partners or anyone else. Knowing which data you must control, and which you can store in a more accessible way, is a key part of making your compliance processes more streamlined.
Audit Logs
Some frameworks also require you to keep audit logs. These are a record of what has been done on your systems, and by whom. The idea behind audit logs is that, should a data privacy or security incident arise, you should be able to trace the audit trail back to a specific account, action and time. While responsibility for a breach is hardly ever on one person alone, audit logs are a valuable resource during the post-breach investigation, where they show you which controls failed and how to improve your systems.
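An added example (not part of the original article) of what an audit trail lets you do during an investigation: the log lines below are constructed JSON records in a generic shape (timestamp, principal, action, resource, source IP, outcome), not the format of any particular cloud provider, and the function names are my own. The code rebuilds the trail for one resource, shows which principal took which action when, and flags successful accesses by principals who should not have had any, which is exactly the kind of finding that feeds back into tightening access controls.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample audit log in JSON Lines form. Not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:03Z", "principal": "alice@example.com", "action": "object.read", "resource": "customers/12345.json", "src_ip": "10.0.1.8", "outcome": "success"}
{"ts": "2024-03-01T09:15:40Z", "principal": "alice@example.com", "action": "object.write", "resource": "customers/12345.json", "src_ip": "10.0.1.8", "outcome": "success"}
{"ts": "2024-03-01T11:02:17Z", "principal": "svc-backup", "action": "object.read", "resource": "customers/12345.json", "src_ip": "10.0.9.2", "outcome": "success"}
{"ts": "2024-03-02T02:47:55Z", "principal": "bob@example.com", "action": "object.read", "resource": "customers/12345.json", "src_ip": "198.51.100.23", "outcome": "denied"}
{"ts": "2024-03-02T02:48:30Z", "principal": "bob@example.com", "action": "object.read", "resource": "customers/12345.json", "src_ip": "198.51.100.23", "outcome": "success"}
{"ts": "2024-03-02T03:10:00Z", "principal": "bob@example.com", "action": "object.delete", "resource": "customers/99999.json", "src_ip": "198.51.100.23", "outcome": "success"}
not valid json, as happens in real log exports
"""


def parse_audit_log(text: str) -> List[Dict]:
    """Parse JSON Lines into records sorted by time. Malformed lines are
    skipped rather than aborting the whole investigation on one bad line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def trail_for(records: List[Dict], resource: str) -> List[Dict]:
    """Everything that happened to one resource, in time order."""
    return [r for r in records if r["resource"] == resource]


def principals_on(records: List[Dict], resource: str) -> Set[str]:
    """Who actually reached the resource (successful actions only)."""
    return {r["principal"] for r in trail_for(records, resource) if r["outcome"] == "success"}


def unexpected_access(records: List[Dict], resource: str, allowed: Set[str]) -> List[Dict]:
    """Successful actions by principals outside the expected set: the
    post-incident finding that tells you which access control to tighten."""
    return [r for r in trail_for(records, resource)
            if r["outcome"] == "success" and r["principal"] not in allowed]


def first_unexpected_access(records: List[Dict], resource: str, allowed: Set[str]) -> Optional[Dict]:
    """Earliest unexpected success, i.e. the start of the incident window."""
    hits = unexpected_access(records, resource, allowed)
    return hits[0] if hits else None


def denied_attempts_before(records: List[Dict], event: Dict) -> int:
    """How many times the same principal was denied on the same resource
    before this event. Denials followed by success suggest a permission change."""
    return sum(1 for r in records
               if r["principal"] == event["principal"] and r["resource"] == event["resource"]
               and r["outcome"] == "denied" and r["ts"] < event["ts"])


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    allowed = {"alice@example.com", "svc-backup"}
    for r in trail_for(recs, "customers/12345.json"):
        print(r["ts"].isoformat(), r["principal"], r["action"], r["outcome"], r["src_ip"])
    first = first_unexpected_access(recs, "customers/12345.json", allowed)
    print("incident starts:", first["ts"].isoformat(), "by", first["principal"],
          "after", denied_attempts_before(recs, first), "denied attempt(s)")
```

Note that the log alone cannot say whether bob@example.com was a legitimate new hire or a compromised account; it can say precisely when the first successful read happened, from which address, and that a denial preceded it, which is the evidence the access-control review needs.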
Retention Schedules
Retention schedules tell compliance assessors how long you keep each type of data, how you decided on that period, and how thoroughly you delete data once it is no longer needed.
Like many of the items on this list, retention schedules are sometimes approached with a negative mindset: because the documents must exist to pass a compliance assessment, some firms rush them out just to “pass the test”.
The best way to reach public cloud compliance, however, is to use your retention schedules as a way of proactively planning your data storage requirements. Regular auditing and deletion of data can significantly reduce the amount you need to spend on storage, but in order to delete data responsibly you first need to research and codify how long you are required to keep it.
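As an added example, not from the article, here is how a retention schedule can be codified so that deletion is decided by rule rather than by hand. The data classes, retention periods and object inventory are constructed placeholders (the periods are not the requirements of any particular regulation; look those up for your own frameworks), and the function names are my own. It keeps two safeguards a practitioner would expect: a legal hold always overrides the schedule, and objects whose class has no rule are never deleted, only queued for review.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed retention schedule: data class -> retention period in days.
# Placeholder values for illustration, not any regulation's actual requirement.
RETENTION_DAYS: Dict[str, int] = {
    "access-log": 90,
    "support-ticket": 365,
    "invoice": 7 * 365,
}

# Constructed inventory: (object key, data class, created timestamp, legal hold?)
INVENTORY: List[Tuple[str, str, str, bool]] = [
    ("logs/2023/11/app.log", "access-log", "2023-11-15T00:00:00Z", False),
    ("logs/2024/02/app.log", "access-log", "2024-02-20T00:00:00Z", False),
    ("tickets/4471.json", "support-ticket", "2022-12-01T00:00:00Z", False),
    ("tickets/5120.json", "support-ticket", "2023-01-10T00:00:00Z", True),
    ("billing/inv-0098.pdf", "invoice", "2018-06-30T00:00:00Z", False),
    ("misc/export.csv", "unclassified-dump", "2021-01-01T00:00:00Z", False),
]

# Fixed evaluation time so the run is reproducible; a real job uses the clock.
SAMPLE_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_decision(data_class: str, created: datetime, legal_hold: bool,
                       now: datetime, schedule: Dict[str, int]) -> Tuple[str, str]:
    """Return (decision, reason). 'delete' only when the period has expired,
    no legal hold applies, and the class actually has a rule. Anything the
    schedule does not cover fails closed to 'review'."""
    if legal_hold:
        return "keep", "legal hold"
    if data_class not in schedule:
        return "review", f"no retention rule for class {data_class!r}"
    expires = created + timedelta(days=schedule[data_class])
    if now >= expires:
        return "delete", f"expired {(now - expires).days} days ago"
    return "keep", f"expires in {(expires - now).days} days"


def apply_schedule(inventory: List[Tuple[str, str, str, bool]], now: datetime,
                   schedule: Dict[str, int] = RETENTION_DAYS) -> Dict[str, List[Tuple[str, str]]]:
    """Evaluate every object and group keys by decision: the 'delete' list
    feeds the deletion job, 'review' goes to a human, 'keep' is the audit record."""
    result: Dict[str, List[Tuple[str, str]]] = {"delete": [], "keep": [], "review": []}
    for key, data_class, created, hold in inventory:
        decision, reason = retention_decision(data_class, parse_ts(created), hold, now, schedule)
        result[decision].append((key, reason))
    return result


if __name__ == "__main__":
    for decision, items in apply_schedule(INVENTORY, SAMPLE_NOW).items():
        for key, reason in items:
            print(f"{decision:7} {key:24} {reason}")
```

Keeping the "keep" list with its reasons is deliberate: an assessor asking why an object still exists gets the same answer the deletion job used, and the run output doubles as evidence that the schedule is actually enforced.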
Breach Notifications
The final element of most compliance frameworks is breach notification: the notices a company must issue when it becomes aware of a data breach, so that affected customers (and, under many frameworks, regulators) can take appropriate action.
It is important to check the requirements of each framework you are subject to, because each imposes its own notification schedule. The GDPR, for example, requires notification to the supervisory authority within 72 hours of becoming aware of a breach, and notification to affected individuals without undue delay when the breach is likely to result in a high risk to them; HIPAA's Breach Notification Rule and US state breach laws set their own clocks. Most frameworks allow some time for forensic examination to establish what happened and what was exposed, but the clock generally starts when you become aware of the breach, not when the investigation finishes, so once you have contained the immediate damage you must provide details to those affected.
Adapting to Change
Though each compliance framework imposes different requirements on your company, many of them are built from the same basic elements. This means that reaching compliance, whether for healthcare data or for more general cloud storage, is best approached by looking at your own systems first. Working through each element above is a good way to start.